[gull-annonces] Summary of SecurityFocus Newsletter #223

Marc SCHAEFER schaefer at alphanet.ch
Tue Nov 18 10:11:01 CET 2003


TerminatorX Command-line Format String Vulnerability
BugTraq ID: 8992
Remote: No
Date Published: Nov 07 2003
Relevant URL: http://www.securityfocus.com/bid/8992
Summary:
TerminatorX is a freely available, open source music manipulation program.
It is available for the Linux platform.

It has been reported that TerminatorX may be prone to a format string
vulnerability when handling command-line parameters. Specifically, due to
the erroneous usage of a printf-style function, the value supplied as the
'-f' file argument is used as the format string itself, so any format
specifiers it contains are interpreted by the program.

As a result, an attacker may be capable of exploiting the application to
execute arbitrary code with elevated privileges. It should be noted that
TerminatorX is not installed setuid by default; however, the author
recommends that users make the application setuid root, in which case a
local user could gain root privileges.

TerminatorX Multiple Command-Line and Environment Buffer Ove...
BugTraq ID: 8993
Remote: No
Date Published: Nov 07 2003
Relevant URL: http://www.securityfocus.com/bid/8993
Summary:
terminatorX is a freely available, open source music manipulation program.
It is available for the Linux platform.

It has been reported that TerminatorX may be prone to multiple
vulnerabilities when handling command-line and environment variable data.
The problem specifically occurs due to insufficient bounds checking when
handling the LADSPA_PATH environment variable and the '-f' and '-r'
command-line parameters.

As a result, an attacker may be capable of exploiting the application in a
variety of ways to execute arbitrary code with elevated privileges. It
should be noted that TerminatorX is not installed setuid by default;
however, the author recommends that users make the application setuid
root.

WMAPM Privilege Escalation Vulnerability
BugTraq ID: 8995
Remote: No
Date Published: Nov 08 2003
Relevant URL: http://www.securityfocus.com/bid/8995
Summary:
wmapm is a Window Maker Dock App that is used as a battery power status
monitor for laptops.

wmapm has been reported prone to a local privilege escalation
vulnerability. The vulnerability has been conjectured to result from the
dock app invoking the 'apm' binary by bare name, so that it is located
through the PATH environment variable, rather than by an absolute path. As
a result of this, a local attacker may manipulate the local PATH setting
and have the setuid wmapm dock app erroneously invoke a trojan binary that
is located in a directory that the attacker has permission to write to.

The code contained in the invoked binary will be executed with the
privileges of the vulnerable wmapm app; this may ultimately result in
elevating the privileges of the attacker.

It has been reported that wmapm is installed setuid to the 'operator' user
on FreeBSD if it is compiled via the ports collection; if wmapm is compiled
from source on FreeBSD or Linux, it is reportedly installed setuid root.

It should be noted that although this issue has been reported to affect
wmapm version 3.1, previous versions might also be affected.
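The search that a setuid program hands to the invoking user when it runs a helper by bare name, and the invocation that avoids it, as an added example (this is not wmapm's code, and the helper location and the modelled filesystem are assumptions made for the demonstration):

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/*
 * The lookup execvp() and the shell perform for a bare command name: walk PATH
 * left to right and take the first directory holding an executable <dir>/<cmd>.
 * Reimplemented here with an injectable is_exec so it can be run against a
 * constructed filesystem. This is the search a setuid program delegates to
 * whoever set PATH when it runs "apm" by name.
 */
int resolve_in_path(const char *path, const char *cmd,
                    int (*is_exec)(const char *), char *out, size_t outsz)
{
    if (outsz == 0)
        return 0;
    const char *p = path;
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);
        if (dlen > 0 && dlen + 1 + strlen(cmd) < outsz) {
            memcpy(out, p, dlen);
            out[dlen] = '/';
            strcpy(out + dlen + 1, cmd);      /* bounded by the check above */
            if (is_exec(out))
                return 1;
        }
        p = end ? end + 1 : NULL;
    }
    out[0] = '\0';
    return 0;
}

/* Real filesystem probe, the same test execvp() makes. */
int real_is_exec(const char *candidate)
{
    return access(candidate, X_OK) == 0;
}

/*
 * Constructed filesystem for the demonstration: the attacker's writable
 * directory and the system directory both contain an "apm".
 */
int model_is_exec(const char *candidate)
{
    return strcmp(candidate, "/tmp/evil/apm") == 0 ||
           strcmp(candidate, "/usr/bin/apm") == 0;
}

/*
 * Hardened invocation for a privileged helper: an absolute path (assumed
 * location; a real build would take it from its configuration), no PATH
 * lookup, and a fresh minimal environment instead of the caller's. A setuid
 * program should also drop privileges it no longer needs before this point.
 */
#define APM_BIN "/usr/bin/apm"

int run_apm_safely(void)
{
    char *const argv[] = { APM_BIN, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(APM_BIN, argv, envp);             /* only returns on failure */
    return -1;
}
```

With PATH set to "/tmp/evil:/usr/bin" the lookup returns the trojan first; the fixed invocation never consults PATH at all, and builds its own environment so that nothing else inherited from the invoking user reaches the helper.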

Epic CTCP Nickname Server Message Buffer Overrun Vulnerabili...
BugTraq ID: 8999
Remote: Yes
Date Published: Nov 10 2003
Relevant URL: http://www.securityfocus.com/bid/8999
Summary:
Epic is a freely available IRC client for Unix and Linux variants.

A remotely exploitable buffer overrun has been reported in Epic. This
issue may reportedly be exploited by a malicious server that supplies an
overly long nickname in a CTCP message. It may also be possible for a
malicious client to send such a message, but it is likely that the server
will limit the length.

Reportedly, if a nickname of over 512 bytes is supplied in such a message,
the client may attempt to call alloca() with a negative length; converted
to the unsigned size type that alloca() takes, a negative value becomes an
enormous allocation, which could result in corruption of stack memory. In
this manner, it may be possible for a malicious IRC server to trigger this
condition to execute arbitrary code on the client system in the context of
the client user.
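The size arithmetic the advisory describes, next to a prefix parser that bounds the nickname before any arithmetic happens, as an added example. This is a model of the bug, not Epic's code; the 63-byte nickname limit and the sample line are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

#define IRC_LINE_MAX 512   /* RFC 1459 message limit, including the trailing CRLF */

/*
 * The arithmetic in isolation: "space left" computed as a signed int from a
 * length that a hostile server controls. Once nick_len exceeds 512 the result
 * is negative, and alloca((size_t)remaining) would then move the stack
 * pointer by roughly 4 GiB, which is the corruption the advisory describes.
 */
int remaining_after_nick_unchecked(size_t nick_len)
{
    int remaining = IRC_LINE_MAX - (int)nick_len;
    return remaining;
}

/*
 * Hardened: pull the nickname out of a raw line (":nick!user@host ...") with an
 * explicit upper bound before any size arithmetic. Returns 1 and fills nick on
 * success, 0 if the prefix is missing, empty, or longer than nicksz-1 bytes.
 * Over-long input is refused rather than truncated.
 */
int parse_prefix_nick(const char *line, char *nick, size_t nicksz)
{
    if (line == NULL || line[0] != ':' || nicksz == 0)
        return 0;
    const char *start = line + 1;
    size_t n = 0;
    while (start[n] != '\0' && start[n] != '!' && start[n] != ' ') {
        if (n + 1 >= nicksz)         /* would not fit with the NUL */
            return 0;
        n++;
    }
    if (n == 0)
        return 0;
    memcpy(nick, start, n);
    nick[n] = '\0';
    return 1;
}

/* Reply buffer size for a CTCP response, computed only after the bound check. */
int ctcp_reply_space(const char *nick, size_t *space)
{
    size_t n = strlen(nick);
    if (n == 0 || n > IRC_LINE_MAX - 1)
        return 0;
    *space = IRC_LINE_MAX - n;
    return 1;
}

/* Constructed input: a prefix carrying a 600-byte nickname, as a hostile server could send. */
int overlong_nick_rejected(void)
{
    char line[700];
    line[0] = ':';
    memset(line + 1, 'A', 600);
    strcpy(line + 601, "!u@h PRIVMSG me :\001PING 1\001");
    char nick[64];                   /* assumed nickname limit: 63 bytes */
    return parse_prefix_nick(line, nick, sizeof nick) == 0;
}
```

The point is the order of operations: the bound is enforced while the bytes are still being scanned, so the signed subtraction is never reached with a length the protocol does not allow.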

Bugzilla Javascript Buglists Remote Information Disclosure V...
BugTraq ID: 9001
Remote: Yes
Date Published: Nov 10 2003
Relevant URL: http://www.securityfocus.com/bid/9001
Summary:
Bugzilla is a freely available, open source bug tracking system.  It is
available for the Unix, Linux, and Microsoft Windows platforms.

A problem exists in the handling of bug lists by Bugzilla when the lists
are served in JavaScript form. Because of this, a remote user may be able
to gain unauthorized access to sensitive information.

The problem lies in the way bug list information is stored in JavaScript
arrays. A remote user can reference such a bug list from a page under
their control; when that page is viewed by a Bugzilla user, the returned
array correctly reflects information about the bugs, including details
which may be restricted from the public due to the sensitivity of the
information, and that information becomes readable by the remote page.
This may result in unauthorized disclosure of information.

This problem has also been reported to affect bookmarklets. The issue is
reported to affect version 2.7.15 only (as printed in the advisory;
Bugzilla releases of that period were numbered 2.16.x and 2.17.x).

Winace UnAce Command Line Argument Buffer Overflow Vulnerabi...
BugTraq ID: 9002
Remote: Yes
Date Published: Nov 10 2003
Relevant URL: http://www.securityfocus.com/bid/9002
Summary:
Winace is a file compression/decompression tool that was originally
developed for Microsoft Windows platforms. Winace was ported to Linux
platforms as UnAce.

UnAce has been reported to be prone to a buffer overflow vulnerability.
The issue presents itself when UnAce handles ace filenames that are
greater than 610 bytes in length, including the ace file extension. When
such a filename is passed to the UnAce utility as the argument of the 'e'
(extract) command-line switch, the string is copied into a fixed-size
buffer in memory. Data that exceeds the size of the buffer overflows its
bounds and overwrites whatever saved data is adjacent to it. Because
variables that are crucial to controlling UnAce's execution flow are
conjectured to be stored adjacent to the affected buffer, an attacker may
corrupt these values and redirect execution into attacker-controlled
memory. Ultimately this may lead to the execution of arbitrary
instructions in the context of the user who is running UnAce.

If UnAce is associated with the ace file type, for example in a web
browser, clicking on a malicious ace filename may be sufficient to result
in the execution of arbitrary instructions on an affected host.
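The bounds-checking pattern that both the TerminatorX command-line and environment issue (BID 8993) and the UnAce filename issue (BID 9002) lack, as an added example. This is not code from either project; the buffer sizes, the default plugin path and the constructed archive name are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Buffer sizes are assumptions for the example, not the real programs' sizes. */
#define ARG_MAX_LEN   255     /* longest accepted -f / -r value or archive name */
#define PATH_LIST_MAX 1024    /* longest accepted LADSPA_PATH value */

/*
 * The shape the two advisories describe: a fixed-size stack buffer filled with
 * strcpy(). Anything longer than the buffer overwrites what follows it on the
 * stack. Shown for contrast only; nothing in this example calls it.
 */
void copy_arg_unsafe(const char *arg)
{
    char buf[ARG_MAX_LEN + 1];
    strcpy(buf, arg);            /* no bound: overflow if strlen(arg) > ARG_MAX_LEN */
    (void)buf;
}

/*
 * Hardened: measure first (without reading past the destination size), refuse
 * anything that does not fit, and only then copy. Returns 1 on success, 0 if
 * the input is missing or too long. Over-long input is rejected, never
 * silently truncated, because a truncated path or filename is a different bug.
 */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    if (src == NULL || dstsz == 0)
        return 0;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)              /* no NUL within dstsz bytes: cannot fit */
        return 0;
    memcpy(dst, src, n + 1);     /* includes the terminating NUL */
    return 1;
}

/*
 * Environment variables reach a setuid program straight from the invoking
 * user, so they get the same treatment as argv. env_value is what the caller
 * got from getenv("LADSPA_PATH"); NULL means unset. The default is assumed.
 */
int load_plugin_path(char *dst, size_t dstsz, const char *env_value)
{
    if (env_value == NULL)
        return copy_arg_checked(dst, dstsz, "/usr/lib/ladspa");
    return copy_arg_checked(dst, dstsz, env_value);
}

/* Constructed input: a 699-character archive name ending in ".ace", as in BID 9002. */
int overlong_archive_name_rejected(void)
{
    char name[700];
    memset(name, 'A', 695);
    memcpy(name + 695, ".ace", 5);          /* 4 characters plus the NUL */
    char dst[ARG_MAX_LEN + 1];
    return copy_arg_checked(dst, sizeof dst, name) == 0;
}

int main(int argc, char **argv)
{
    char file[ARG_MAX_LEN + 1], plugins[PATH_LIST_MAX];
    if (argc > 1 && !copy_arg_checked(file, sizeof file, argv[1]))
        return 2;                            /* argument too long: refuse, do not crash */
    if (!load_plugin_path(plugins, sizeof plugins, getenv("LADSPA_PATH")))
        return 2;
    return 0;
}
```

The same check applies whether the input arrives through argv, the environment, or a filename handed over by a browser's file-type association: for a setuid binary all three are attacker-controlled.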

PureFTPd displayrate() Remote Denial of Service Vulnerabilit...
BugTraq ID: 9003
Remote: Yes
Date Published: Nov 10 2003
Relevant URL: http://www.securityfocus.com/bid/9003
Summary:
PureFTPd is an FTP server based on Troll-FTPd and designed with a focus on
security. It is available for the BSD and Linux operating systems.

A denial of service vulnerability has been discovered in PureFTPd. The
problem occurs within the displayrate() function. When data returned from
the realpath() function is subsequently tested for a specific value, it
may be possible to trigger a procedure, which will ultimately cause
PureFTPd to crash.

Specifically, the realpath() function is passed two variables, name and
resolved_path. The resolved name is stored in resolved_path, which is then
tested for a zero byte as shown below:

if (resolved_path[sizeof_resolved_path - 1U] != 0)

If this condition is met, PureFTPd will enter an infinite for loop,
continuously writing a zero value to a pointer incremented each iteration.
This will ultimately result in an attempt to write to unpaged memory,
effectively triggering a segmentation violation and thus a denial of
service.

It should be noted that PureFTPd will typically fork a new process for
each new connection to the FTP service, specifically when running as a
standalone server, however it has not been confirmed whether this is
always the case.

If forking children is the only behavior under all configurations, this
condition may not have any implications beyond closing the session of a
malicious user. This BID will be updated, as further details regarding
this information are made available.

*** November 10, 2003 - The vendor has confirmed that the condition
affects only the individual session in which it occurs. Furthermore,
additional details made available by the vendor state that realpath()
writes at most PATH_MAX bytes into the supplied buffer, so the
aforementioned test always fails and the loop is never entered. As a
result of this new information, this BID will subsequently be retired.

Hylafax HFaxD Unspecified Format String Vulnerability
BugTraq ID: 9005
Remote: Yes
Date Published: Nov 10 2003
Relevant URL: http://www.securityfocus.com/bid/9005
Summary:
Hylafax is a software package designed to handle the transmission of
faxes.

Hylafax hfaxd (daemon) has been reported prone to an unspecified format
string vulnerability that may be exploited under non-standard
configurations to execute arbitrary instructions remotely as the root
user.

It has been conjectured that a remote attacker may construct a string that
contains specially crafted format specifiers and transmit it to the hfaxd
server in a manner sufficient to trigger the condition. The malicious
format specifiers contained in this string would be interpreted as format
directives by the affected server; this may result in arbitrary memory
corruption and ultimately in the execution of arbitrary attacker-supplied
instructions in the context of the affected server.

This BID will be updated if and when explicit information regarding this
vulnerability is published.

Symbol Technologies PDT 8100 Default WEP Keys Configuration ...
BugTraq ID: 9006
Remote: No
Date Published: Nov 10 2003
Relevant URL: http://www.securityfocus.com/bid/9006
Summary:
The PDT 8100 is a handheld wireless data terminal distributed and
maintained by Symbol Technologies.

A problem has been identified in the default configuration of the Symbol
Technologies PDT 8100.  Because of this, a local user may be able to gain
unauthorized access to network resources.

The problem is in the handling of WEP keys.  When a PDT 8100 is configured
the party configuring the device is not prompted to change the default WEP
keys configuration.  If this configuration is not changed, a user of the
device may access the WEP keys in plain text on the device.

The 8146-T2B940US model is known to be affected by this issue.  Other
models may also be affected.

[ hardware ]

Multiple Vendor Bluetooth Device Unspecified Information Dis...
BugTraq ID: 9024
Remote: Yes
Date Published: Nov 12 2003
Relevant URL: http://www.securityfocus.com/bid/9024
Summary:
Bluetooth is a wireless communication protocol which, amongst other
functions, is designed to allow interoperability between devices produced
by different vendors, such as a cellphone and headset.

Under certain configurations Bluetooth devices will allow an anonymous
user to establish a connection and carry out various actions. These modes
are typically called "discoverable" and "visible". It has been reported
that, even when the aforementioned modes have been disabled an anonymous
user may be capable of connecting to a Bluetooth device and accessing
sensitive information stored therein. This could allow an attacker to
expose phone book, calendar, and other sensitive information.

The precise technical details regarding this vulnerability have not yet
been made available. This BID will be updated as further information is
made available.

Spoofed Kernel Netlink Interface Message Denial of Service V...
BugTraq ID: 9027
Remote: No
Date Published: Nov 12 2003
Relevant URL: http://www.securityfocus.com/bid/9027
Summary:
The Linux kernel includes the use of an optional netlink driver, which
when used creates the netlink device. This device can be used to allow a
channel between the kernel and userland applications for the transfer of
data and other information. This data can be transferred through the use
of netlink datagrams and messages.

The glibc getifaddrs() function is designed to store a linked list of the
local systems network interfaces.

GNU Zebra is an open source implementation of TCP/IP routing software.  It
supports BGP-4, RIPv1, RIPv2 and OSPFv2 protocols. Quagga is a routing
software suite which was derived from GNU Zebra.

The Red Hat iproute package contains a variety of IP-based networking
utilities.

Applications which make use of the kernel netlink interface are said to be
prone to denial of service attacks.

It has been reported that applications implementing the use of the
getifaddrs() function may be prone to denial of service conditions. The
problem is said to occur due to the way spoofed netlink messages are
handled by the function: netlink datagrams can be sent by any local
process, not only by the kernel, and the origin of a received message is
not verified. Because of this, a malformed message transmitted to the
process by a local user may in fact trigger a denial of service.

The above condition is confirmed to occur on Red Hat 9 systems, however it
is not currently known if other operating systems or glibc versions are
directly affected.

Red Hat has stated that GNU Zebra, Quagga and iproute are also affected by
this vulnerability due to the way they interact with the netlink
interface; exploitation may result in a denial of service.

It is not currently known whether this condition is a problem within the
kernel netlink interface itself or if each application is implementing the
use of code which fails to properly handle specific netlink events. This
BID will be updated, as further information is made available.
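The checks a netlink client should make on every datagram it reads while waiting for a kernel reply, as an added example (not glibc's, Zebra's or iproute's code). The header structs are spelled out locally so the example builds without Linux headers; their layouts match struct nlmsghdr and struct sockaddr_nl, and the sample values in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local mirrors of the Linux types, so this builds anywhere. */
struct nl_hdr {           /* struct nlmsghdr */
    uint32_t len;         /* total message length including this header */
    uint16_t type;
    uint16_t flags;
    uint32_t seq;         /* echo of the request's sequence number */
    uint32_t pid;         /* destination port id: the requester's nl_pid */
};
struct nl_addr {          /* struct sockaddr_nl, as filled in by recvmsg() */
    uint16_t family;      /* AF_NETLINK (16) */
    uint16_t pad;
    uint32_t pid;         /* sender port id; 0 means the kernel */
    uint32_t groups;
};

enum nl_verdict {
    NL_ACCEPT = 0,
    NL_DROP_NOT_KERNEL,   /* sent by another process: the spoofing case */
    NL_DROP_BAD_LEN,      /* header claims more than the datagram holds */
    NL_DROP_WRONG_PID,    /* reply addressed to someone else's socket */
    NL_DROP_WRONG_SEQ     /* stale or forged sequence number */
};

/*
 * Validate one received datagram before any payload is parsed. from/from_len
 * are the sender address recvmsg() reported, h points at the datagram buffer,
 * my_pid is this socket's bound nl_pid and expected_seq the request's seq.
 * Any datagram that fails these checks is dropped and the read loop continues,
 * so a forged message from a local user is simply ignored instead of parsed.
 */
enum nl_verdict nl_check_reply(const struct nl_addr *from, size_t from_len,
                               const struct nl_hdr *h, size_t datagram_len,
                               uint32_t my_pid, uint32_t expected_seq)
{
    if (from == NULL || from_len < sizeof *from || from->pid != 0)
        return NL_DROP_NOT_KERNEL;
    if (h == NULL || datagram_len < sizeof *h || h->len < sizeof *h ||
        h->len > datagram_len)
        return NL_DROP_BAD_LEN;
    if (h->pid != my_pid)
        return NL_DROP_WRONG_PID;
    if (h->seq != expected_seq)
        return NL_DROP_WRONG_SEQ;
    return NL_ACCEPT;
}
```

The sender-address check is the one that closes the spoofing hole: a process sending to another process's netlink socket can forge every field inside the message, but the kernel fills in the nl_pid of the sender itself, and only the kernel's own messages carry 0.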

GNU Zebra / Quagga  Remote Denial of Service Vulnerability
BugTraq ID: 9029
Remote: Yes
Date Published: Nov 12 2003
Relevant URL: http://www.securityfocus.com/bid/9029
Summary:
GNU Zebra is an open source implementation of TCP/IP routing software.  It
supports BGP-4, RIPv1, RIPv2 and OSPFv2 protocols. Quagga is a routing
software suite which was derived from GNU Zebra.

A vulnerability has been reported to be present in the software that may
allow a remote attacker to cause a denial of service condition in the
software. The issue is reported to occur if an attacker attempts to
connect to the Zebra or Quagga telnet management port while a password is
enabled.

The problem specifically occurs due to an invalid (typically NULL) pointer
dereference. This occurs because the vty layer fails to verify whether a
Telnet sub-negotiation is currently in progress prior to handling an end
of sub-negotiation marker (SE). This will occur if the SE is received at
an unexpected time, that is, without a preceding SB.

Successful exploitation of this issue may allow an attacker who passes a
malformed Telnet command to the server, to cause the software to behave in
an unstable manner leading to a crash or hang.

All versions of GNU Zebra are said to be vulnerable to this issue.  All
versions of Quagga prior to 0.96.4 are also vulnerable.
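A minimal Telnet option-negotiation state machine that keeps track of whether a sub-negotiation is open, so that a stray SE is a protocol error instead of a dereference, as an added example. This is not Quagga's vty code; the state layout, the suboption buffer size and the sample byte streams in the test are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Telnet command bytes (RFC 854). */
#define IAC 255
#define SB  250
#define SE  240

/* Per-connection negotiation state, as a vty layer would keep it. */
struct telnet_state {
    int     in_iac;        /* previous byte was IAC */
    int     in_sb;         /* inside IAC SB ... IAC SE */
    int     skip_option;   /* next byte is the option of a WILL/WONT/DO/DONT */
    uint8_t sb_buf[64];    /* suboption bytes collected since SB */
    size_t  sb_len;
    int     errors;        /* protocol violations seen */
};

/*
 * Feed raw bytes from the socket. Data bytes are copied to out; commands update
 * the state; suboption bytes are accumulated and handed to on_suboption() only
 * when an IAC SE arrives for an SB that was actually opened. Returns the number
 * of data bytes delivered.
 */
size_t telnet_feed(struct telnet_state *st, const uint8_t *in, size_t n,
                   uint8_t *out, size_t outsz,
                   void (*on_suboption)(const uint8_t *, size_t))
{
    size_t produced = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = in[i];
        if (st->in_iac) {
            st->in_iac = 0;
            switch (b) {
            case SB:
                if (st->in_sb) { st->errors++; break; }   /* nested SB is invalid */
                st->in_sb = 1;
                st->sb_len = 0;
                break;
            case SE:
                /*
                 * The check the advisory says was missing. Without it the SE
                 * handler runs on a stale length and on a suboption buffer that
                 * was never set up, which is where the NULL dereference comes
                 * from. With it, a stray SE is counted and otherwise ignored.
                 */
                if (!st->in_sb) { st->errors++; break; }
                st->in_sb = 0;
                if (on_suboption)
                    on_suboption(st->sb_buf, st->sb_len);
                break;
            case IAC:                                     /* escaped 0xFF data byte */
                if (st->in_sb) {
                    if (st->sb_len < sizeof st->sb_buf) st->sb_buf[st->sb_len++] = IAC;
                } else if (produced < outsz) {
                    out[produced++] = IAC;
                }
                break;
            default:
                if (b >= 251 && b <= 254)                 /* WILL WONT DO DONT <option> */
                    st->skip_option = 1;
                break;                                    /* other commands take no argument */
            }
            continue;
        }
        if (st->skip_option) { st->skip_option = 0; continue; }
        if (b == IAC) { st->in_iac = 1; continue; }
        if (st->in_sb) {
            if (st->sb_len < sizeof st->sb_buf) st->sb_buf[st->sb_len++] = b;
            else st->errors++;                            /* oversized suboption: drop byte */
        } else if (produced < outsz) {
            out[produced++] = b;
        }
    }
    return produced;
}

/* Recorder used to observe the last suboption delivered. */
static uint8_t last_sub[64];
static size_t  last_sub_len;

void record_suboption(const uint8_t *p, size_t len)
{
    last_sub_len = len < sizeof last_sub ? len : sizeof last_sub;
    memcpy(last_sub, p, last_sub_len);
}
size_t  last_suboption_len(void)       { return last_sub_len; }
uint8_t last_suboption_byte(size_t i)  { return i < last_sub_len ? last_sub[i] : 0; }
```

Feeding "IAC SE" with nothing before it increments the error counter and delivers the following bytes as data; a well-formed "IAC SB NAWS ... IAC SE" delivers the suboption exactly once.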

Clam AntiVirus E-mail Address Logging Format String Vulnerab...
BugTraq ID: 9031
Remote: Yes
Date Published: Nov 12 2003
Relevant URL: http://www.securityfocus.com/bid/9031
Summary:
Clam AntiVirus is an anti-virus product for Linux and Unix derived
operating systems.

Clam AntiVirus is prone to a format string vulnerability when logging
e-mail addresses.  This is due to incorrect usage of the syslog() function
to log e-mail addresses.  As a result, attackers may supply their own
format specifiers in e-mail addresses.  Remote attackers may be required
to craft an e-mail that may generate a loggable event, such as including
an AV test string in the message, to exploit this issue.

This vulnerability may be exploited to overwrite arbitrary locations in
memory with attacker-supplied values, resulting in execution of arbitrary
code. Denial of service attacks are also possible.  This will occur in the
context of the clamav user or root, depending on how the software is
invoked.

This issue only affects the clamav-milter component of versions later than
clamav-0.54, which include syslogging functionality.
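The fix for this class of bug, common to the TerminatorX '-f' issue (BID 8992), the hfaxd issue (BID 9005) and the clamav-milter logging issue above, is that untrusted text must never be the format argument. An added example, not code from any of those projects (the log message text is assumed), showing the safe call next to an audit helper that counts how many directives an input would carry if it were ever misused as a format:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * The shape all three advisories describe (not compiled here; with
 * -Werror=format-security a modern compiler rejects it outright):
 *
 *     syslog(LOG_NOTICE, sender_address);   // the address *is* the format
 *     fprintf(stderr, argv_filename);       // likewise
 *
 * "%x" in the input walks up the stack one word at a time and "%n" writes
 * the number of bytes printed so far to an address taken from the stack,
 * which is what turns a log line into an arbitrary memory write.
 */

/*
 * Hardened: the format is a compile-time constant and untrusted text can only
 * ever fill a %s. Returns 1 if the whole line fit, 0 if it was truncated.
 */
int log_sender_safe(char *out, size_t outsz, const char *addr)
{
    int n = snprintf(out, outsz, "clamav-milter: message from %s", addr);
    return n >= 0 && (size_t)n < outsz;
}

/*
 * Audit helper: count the printf conversions in a string that has reached a
 * logging call, to tell whether the input would be dangerous if it were ever
 * used as a format. "%%" is a literal percent and does not count. Returns the
 * number of conversions; *writes (if non-NULL) receives how many are %n.
 */
size_t count_format_directives(const char *s, size_t *writes)
{
    size_t total = 0, nwr = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                   /* escaped percent */
            p++;
            continue;
        }
        const char *q = p + 1;               /* skip flags, width, precision, length */
        while (*q != '\0' && strchr("-+ #0123456789.*hlLqjzt$", *q) != NULL)
            q++;
        if (*q == '\0')
            break;                           /* dangling '%' at end of string */
        total++;
        if (*q == 'n')
            nwr++;
        p = q;
    }
    if (writes != NULL)
        *writes = nwr;
    return total;
}
```

Compiling with -Wformat -Wformat-security (or -Werror=format-security) flags every call of the unsafe shape at build time, which is the cheapest way to find the remaining instances in a code base.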

Nokia Bluetooth Device Unauthorized Access Vulnerability
BugTraq ID: 9032
Remote: Yes
Date Published: Nov 12 2003
Relevant URL: http://www.securityfocus.com/bid/9032
Summary:
Bluetooth is a wireless communication protocol, which, amongst other
functions, is designed to allow interoperability between devices produced
by different vendors, such as a cellphone and headset.

The Bluetooth protocol allows for certain devices to be 'paired'. When
this occurs, the two devices form a trust relationship, under which a
trusted device may access the contents of the other. Reportedly, in some
situations this may include the entire memory space of the trusting
device.

A vulnerability has been discovered in two Nokia Bluetooth devices that
could result in unauthorized access from a device that is no longer
trusted. The problem occurs due to the Nokia devices failing to fully
remove trust relationships previously established between devices. Even
when a specific device is no longer listed as 'paired', it is said that
it may still in fact have trusted access to the vulnerable device.

As a result, a malicious user whose device at one point was 'paired' with
another could potentially have trusted access without the victim user
knowing. This action would go unnoticed unless the victim user was
physically monitoring the display on their device. Because an attacker
may potentially have access to the entire memory space of the affected
device, this could lead to the cloning of certain devices.

Attacks such as this may be used by an attacker attempting to steal
another person's identity or to carry out other malicious actions.

The Nokia 6310i and 7650 models are said to be affected; however, it has
been conjectured that a large number of Bluetooth-enabled implementations
may be vulnerable.

[ hardware ]

FortiGate Firewall Web Interface Cross-Site Scripting Vulner...
BugTraq ID: 9033
Remote: Yes
Date Published: Nov 12 2003
Relevant URL: http://www.securityfocus.com/bid/9033
Summary:
FortiGate is a series of commercial firewall appliances which run an
embedded operating system entitled FortiOS.

Multiple cross-site scripting vulnerabilities have been reported in the
FortiGate Firewall web administrative interface.  These issues could be
exploited by enticing an administrative user to follow a malicious link
that includes hostile HTML and script code as values for URI parameters
for various vulnerable interface components.  If such a link is followed,
the hostile code may be rendered in the administrator's browser.  This
would occur in the context of the interface, allowing attacker-supplied
code to access properties of pages within the interface.  This could lead
to theft of cookie-based authentication credentials, which contain the
username and MD5 hash of the password, allowing for full compromise of the
firewall.

[ hardware ]

OpenSSH PAM Conversation Memory Scrubbing Weakness
BugTraq ID: 9040
Remote: No
Date Published: Nov 13 2003
Relevant URL: http://www.securityfocus.com/bid/9040
Summary:
OpenSSH is a freely available, open source implementation of the Secure
Shell protocol.  It is available for the Unix, Linux, and Microsoft
platforms.

An issue has been reported in the OpenSSH implementation of PAM
conversation functions.  Applications which use PAM modules for
authentication are required to include conversation routines to manage
communications between the application and the PAM module, providing a
means to prompt users for passwords or provide other functionality which
relies on PAM.  When a remote user connects to an OpenSSH server and
prematurely cancels the connection through a function such as Control-C,
OpenSSH does not correctly respond.  It has been reported that OpenSSH
ends the session with the pam_end() function rather than returning
PAM_CONV_ERR, which is the correct behavior according to the Linux-PAM
developer documentation.  As a result, PAM will not handle the aborted
conversation correctly and subsequently fail to scrub memory.  The direct
consequence is that sensitive information in memory is more likely to end
up in swap space or core dumps.

This problem may expose authentication credentials to recovery should an
attacker have sufficient privileges on the system to view core dumps or
system memory.  This issue may also expose other vulnerabilities in PAM
modules due to unpredictable behavior that could potentially lead to
stability issues and the compromise of sensitive credentials, information,
or privileges.
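A PAM conversation function that handles the aborted-prompt case the advisory describes by scrubbing and freeing the answers it has collected and returning PAM_CONV_ERR, leaving pam_end() to the code that called pam_start(), as an added example. It is not OpenSSH's code. The PAM types and return codes are declared locally so the example builds without libpam headers (their layouts and values match Linux-PAM's pam_appl.h); the appdata layout and the prompt callbacks are assumptions constructed for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the Linux-PAM types and codes this example needs. */
#define PAM_SUCCESS          0
#define PAM_CONV_ERR         19
#define PAM_PROMPT_ECHO_OFF  1

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* What the application hands to pam_start() as appdata_ptr (assumed layout). */
struct conv_ctx {
    char *(*ask)(const char *prompt, int echo);   /* malloc'ed answer, or NULL on abort */
};

/* Zero secret bytes through a volatile pointer so the store is not optimised away
   (a plain memset() right before free() is routinely deleted as a dead store). */
void scrub(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Free a response array, scrubbing every collected answer first. */
void free_responses(struct pam_response *r, int count)
{
    if (r == NULL)
        return;
    for (int i = 0; i < count; i++) {
        if (r[i].resp) {
            scrub(r[i].resp, strlen(r[i].resp));
            free(r[i].resp);
        }
    }
    free(r);
}

/*
 * Conversation function. If the user aborts part-way (Control-C at a prompt),
 * every answer gathered so far is scrubbed and freed and the function returns
 * PAM_CONV_ERR so that libpam unwinds the authentication itself. pam_end() is
 * deliberately not called here: it belongs to the caller of pam_start(), after
 * pam_authenticate() has returned.
 */
int scrubbing_conv(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr)
{
    const struct conv_ctx *ctx = appdata_ptr;
    if (num_msg <= 0 || ctx == NULL || ctx->ask == NULL)
        return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (r == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        int echo = msg[i]->msg_style != PAM_PROMPT_ECHO_OFF;
        r[i].resp = ctx->ask(msg[i]->msg, echo);
        if (r[i].resp == NULL) {
            free_responses(r, num_msg);     /* scrub the partial set; hand PAM nothing */
            *resp = NULL;
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Constructed prompt sources for the demonstration. */
static int prompts_seen;
static char *dup_answer(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}
char *ask_answers(const char *prompt, int echo)
{
    (void)prompt; (void)echo;
    prompts_seen++;
    return dup_answer("hunter2");
}
char *ask_aborts_second(const char *prompt, int echo)
{
    (void)prompt; (void)echo;
    return ++prompts_seen == 1 ? dup_answer("hunter2") : NULL;
}
void reset_prompts(void) { prompts_seen = 0; }
```

Returning PAM_CONV_ERR is what lets the module stack release its own copies; the application still has to treat the buffers it allocated as its responsibility, which is what the scrub-before-free does.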
